mirror of
https://github.com/henrydcase/pqc.git
synced 2024-11-23 07:59:01 +00:00
34 lines
1.4 KiB
C
34 lines
1.4 KiB
C
|
/********************************************************************************************
|
||
|
* FrodoKEM: Learning with Errors Key Encapsulation
|
||
|
*
|
||
|
* Abstract: noise sampling functions
|
||
|
*********************************************************************************************/
|
||
|
|
||
|
#include <stdint.h>
|
||
|
|
||
|
#include "api.h"
|
||
|
#include "params.h"
|
||
|
|
||
|
static uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;
|
||
|
|
||
|
void PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(uint16_t *s, const size_t n) {
|
||
|
// Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
|
||
|
// The distribution is specified by its CDF.
|
||
|
// Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
|
||
|
unsigned int i, j;
|
||
|
|
||
|
for (i = 0; i < n; ++i) {
|
||
|
uint8_t sample = 0;
|
||
|
uint16_t prnd = s[i] >> 1; // Drop the least significant bit
|
||
|
uint8_t sign = s[i] & 0x1; // Pick the least significant bit
|
||
|
|
||
|
// No need to compare with the last value.
|
||
|
for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
|
||
|
// Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
|
||
|
sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
|
||
|
}
|
||
|
// Assuming that sign is either 0 or 1, flips sample iff sign = 1
|
||
|
s[i] = ((-sign) ^ sample) + sign;
|
||
|
}
|
||
|
}
|